The year in security research

Security researchers were busy in 2015 — almost as busy as the criminals whose work they studied.

Among the notable numbers this year: low-tech 'visual hacking' proves to be successful nine times out of ten, most websites had at least one serious vulnerability for 150 or more days, click fraud costs businesses $6.3 billion a year in wasted ad money, and oh so much more!

Desktop risk

Oracle's Java poses the single biggest security risk to US desktops, according to a report from Copenhagen-based security vendor Secunia ApS, because of its penetration rate, number of vulnerabilities, and patch status.

According to the report, 48 percent of users aren't running the latest, patched versions.

"This is not because Java is more difficult to patch, but the program has a high market share and a lot of the users neglect to patch the program, even though a patch is available," said Kasper Lingaard, the company's director of research and security.

There were 119 new vulnerabilities identified in Java over the past year and the software is installed on 65 percent of computers, according to the report.

Visual hacking

Researchers were able to get sensitive corporate information just by looking around corporate offices in 88 percent of attempts, according to a Ponemon Institute study.

Ponemon sent researchers to 43 offices belonging to seven large corporations that had previously agreed to participate in benchmarking research. The researchers had valid identification as temporary employees, and management knew they were coming -- though the office staff did not.

The researchers spent up to two hours in each office, wandering around, taking pictures of computer screens, and picking up documents marked "confidential" and putting them in their bags -- all deliberately within full view of the regular employees.

In the vast majority of the cases, the regular office staff did not ask any questions or confront the researcher in any way.

Unsafe apps

The average large global enterprise has about 2,400 unsafe apps on the mobile devices in its environment, according to a study from mobile security vendor Veracode.

The firm analyzed more than 400,000 of the most popular applications available in Apple and Google app stores and found that 14,000 of them, or about 3 percent, have security problems, including exposing sensitive data such as location, contacts, and text messages.

CSO salary

According to Computerworld's annual IT Salary Survey for 2015, CSOs saw the highest average total compensation increase, with compensation rising 6.7% from 2014 to 2015. Information security managers saw the second highest increase at +5.3%.

Clickfraud malware

Malware that secretly clicks on ads in order to defraud advertisers might seem generally harmless to infected machines, but can serve as a gateway to more serious infections, according to a report by security vendor Damballa.

Clickfraud malware has been showing up a lot this year, said Damballa CTO Stephen Newman, with about 32 million active infections spotted in the company's customer base during the first half of this year, or about 210,000 per day.

According to the Association of National Advertisers, it costs US businesses about $6.3 billion a year in wasted ad money.

2015 State of Cybercrime

After years of effort and attention to information security, most organizations’ ability to respond to cyberattacks has stalled. That fact is just one of the notable takeaways from CSO's 2015 US State of Cybercrime Survey of more than 500 respondents including US business executives, law enforcement services, and government agencies.

According to this year’s survey, the number of respondents who reported being more concerned about information security risks spiked to 76%, up from 59% in the same survey one year ago.

Healthcare IT

For its Healthcare Cybersecurity Survey, KPMG polled 223 U.S.-based healthcare IT executives, all at organizations with revenues of at least $500 million. Four-fifths of those surveyed said that their information technology has been compromised by cyber-attacks. The executives said that external attackers (65%) and sharing data with third parties (48%) are their top vulnerabilities. The top threats are malware (67%) and HIPAA violations (57%).

Time to patch

On Thursday, October 22, 2015 the developers of Joomla released version 3.4.5 of the popular content management system in order to fix a SQL injection vulnerability that allowed attackers to gain administrative privileges by hijacking an active administrator session.

Less than four hours after the update's release and the publishing of a technical overview by security researchers at Trustwave, attackers were already exploiting the flaw. Within 24 hours there were already Internet-wide scans probing for the flaw and the number of attacks continued to increase over the weekend.

Based on this incident, the administrator of an average website has a time window of less than 24 hours to patch following a serious vulnerability disclosure. If the website is a highly popular one, the reaction time should be within a few hours.

Certifications that pay

According to Foote Partners' "IT Skills and Certifications Pay Index," the CyberSecurity Forensic Analyst (CSFA) certification earned its holders a 16% median pay premium in 2015. In addition, the certification saw a 23% increase in market value in the past 12 months.

"What's sustaining that is so many companies are thinking cybersecurity. They never have before but they are now. They've always had IT security but now they are thinking they can be hacked for any reason," said David Foote, co-founder, chief analyst and research officer with Foote Partners.

Cyber criminal underground

In the early 2000s, the FBI and other law enforcement agencies pretty much dismantled the U.S. cyber criminal underground, said Tom Kellermann, chief cybersecurity officer at Trend Micro, but it's made a resurgence in the past three years and there are now more participants than there were in 2000.

"It's larger because it's providing a wider multiplicity of goods and services," Kellermann said. "They're there for the drugs, weapons, passports, stolen cards, and murder for hire. It's a one-stop shop for criminals to facilitate their conspiracies, to bypass traditional security, and to launder money."

Drugs are the hottest commodity, accounting for 62 percent of all sites. Stolen data dumps account for 16 percent of all sites, fake documents for 4 percent, and weapons for 2 percent. Murder for hire sites account for 1 percent of the North American underground sites, according to Trend Micro.